In the beginning of June, Republican presidential candidate Mitt Romney had his Hotmail and Dropbox accounts hacked. The hacker did this by guessing the correct answer to Romney’s security question “What is your favorite pet?” The hacker then went in and changed the passwords for the two accounts. The hacker stated in an email he sent bragging of the breach that he was not a member of Anonymous and had never done something like this before. The breach suggested that Romney, or his aides were used the same password across multiple web services. The Romney campaign confirmed that a related investigation is underway, however they did not describe in detail which accounts may have been hacked or whether they were used for personal communications by Romney.
A similar event occurred in 2008 when Republican candidate for vice president Sarah Palin had her Yahoo Mail account hacked. The hacker, David C. Kernell, guessed her Yahoo Mail password “popcorn” and leaked screenshots and text files to WikiLeaks. Kernell was convicted by a federal jury in April 2010 of obstruction of justice and unauthorized access to a computer. The rise of webmail has led to many questions regarding the degree to which government communications are being captured for records. Government officials as well as others believe that private email addresses raise transparency questions. Furthermore, these communications are more liable to being intercepted by hackers or intelligence agencies.
The attack on Romney’s accounts may have been prevented had a number of controls been in place. First, while automated password resets using secret questions may be helpful, Romney used a question and answer that could have been easily guessed with little research. Romney should have used more difficult answers that would not have been easily guessed. Second, Romney and his aides should not have used the same password for multiple sites. In Sarah Palin’s case, her attack may have been prevented had she used a stronger password that was not so easy to crack.
Malware for Macs Lucrative, Security Researchers Say:
Earlier in the year, cybercriminals embarked in one of the largest-scale malware attacks on Apple computers to date. The malware, called Flashback, targets Mac users by infecting their machines with a Trojan through a security hole in Java software. The hole was patched by Oracle last February; however Apple did not patch the security hole until early April. In that six week period, Flashback spread to over half a million computers. The malware downloaded itself onto the Victim’s machine when they visited Web sites that had been hijacked. Flashback did not require the victim to click on a malicious link nor open a compromised attachment in order to download itself on the victim’s computer.
The creation of Flashback was financially motivated as its creator’s made an estimated $10,000 a day through click fraud. Flashback allowed infected computers to click on Web advertisements that were manipulated in exchange for kickbacks. According to researchers who studied Flashback’s code, when a victim used a search engine such as Google, the first site the search engine would send the victim to was the attackers site instead of a normal site and the attackers, not Google, would get 8 cents for the click.
Two weeks after Apple released a security patch, the number of infected users dropped from 600,000 to 140,000; however researchers say that only weeks after Apple released the security patch, a new variation of Flashback, Flashback.S was discovered. Flashback.S spreads the same way as Flashback – through Java vulnerability. It is believed that Flashback.S is more than likely being used for the same purposes as Flashback.
Apple has recommended two things to either remove Flashback from a victim’s computer or prevent Flashback from being downloaded onto a person’s computer. First, they encouraged users to run their software updates to remove Flashback and prevent Flashback from being downloaded onto their computer. Second, Apple also has a Flashback removal tool which users are able to download from Apple’s support site, which will let users know if their computer is infected. Additionally, while Apple did release a patch to correct the error, many of the attacks could have been prevented had Apple done more to release the Java patch earlier. Apple was made well aware of the security hole in February and did not release a patch for the security hole nor did they notify most of their users until early April. Had Apple released the patch sooner, it may have prevented many of the 600,000 computers from becoming infected in the first place.
Romney Campaign Investigates Hotmial Account Hack:
In the beginning of June, Republican presidential candidate Mitt Romney had his Hotmail and Dropbox accounts hacked. The hacker did this by guessing the correct answer to Romney’s security question “What is your favorite pet?” The hacker then went in and changed the passwords for the two accounts. The hacker stated in an email he sent bragging of the breach that he was not a member of Anonymous and had never done something like this before. The breach suggested that Romney, or his aides were used the same password across multiple web services. The Romney campaign confirmed that a related investigation is underway, however they did not describe in detail which accounts may have been hacked or whether they were used for personal communications by Romney.A similar event occurred in 2008 when Republican candidate for vice president Sarah Palin had her Yahoo Mail account hacked. The hacker, David C. Kernell, guessed her Yahoo Mail password “popcorn” and leaked screenshots and text files to WikiLeaks. Kernell was convicted by a federal jury in April 2010 of obstruction of justice and unauthorized access to a computer. The rise of webmail has led to many questions regarding the degree to which government communications are being captured for records. Government officials as well as others believe that private email addresses raise transparency questions. Furthermore, these communications are more liable to being intercepted by hackers or intelligence agencies.
The attack on Romney’s accounts may have been prevented had a number of controls been in place. First, while automated password resets using secret questions may be helpful, Romney used a question and answer that could have been easily guessed with little research. Romney should have used more difficult answers that would not have been easily guessed. Second, Romney and his aides should not have used the same password for multiple sites. In Sarah Palin’s case, her attack may have been prevented had she used a stronger password that was not so easy to crack.
Malware for Macs Lucrative, Security Researchers Say:
Earlier in the year, cybercriminals embarked in one of the largest-scale malware attacks on Apple computers to date. The malware, called Flashback, targets Mac users by infecting their machines with a Trojan through a security hole in Java software. The hole was patched by Oracle last February; however Apple did not patch the security hole until early April. In that six week period, Flashback spread to over half a million computers. The malware downloaded itself onto the Victim’s machine when they visited Web sites that had been hijacked. Flashback did not require the victim to click on a malicious link nor open a compromised attachment in order to download itself on the victim’s computer.The creation of Flashback was financially motivated as its creator’s made an estimated $10,000 a day through click fraud. Flashback allowed infected computers to click on Web advertisements that were manipulated in exchange for kickbacks. According to researchers who studied Flashback’s code, when a victim used a search engine such as Google, the first site the search engine would send the victim to was the attackers site instead of a normal site and the attackers, not Google, would get 8 cents for the click.
Two weeks after Apple released a security patch, the number of infected users dropped from 600,000 to 140,000; however researchers say that only weeks after Apple released the security patch, a new variation of Flashback, Flashback.S was discovered. Flashback.S spreads the same way as Flashback – through Java vulnerability. It is believed that Flashback.S is more than likely being used for the same purposes as Flashback.
Apple has recommended two things to either remove Flashback from a victim’s computer or prevent Flashback from being downloaded onto a person’s computer. First, they encouraged users to run their software updates to remove Flashback and prevent Flashback from being downloaded onto their computer. Second, Apple also has a Flashback removal tool which users are able to download from Apple’s support site, which will let users know if their computer is infected. Additionally, while Apple did release a patch to correct the error, many of the attacks could have been prevented had Apple done more to release the Java patch earlier. Apple was made well aware of the security hole in February and did not release a patch for the security hole nor did they notify most of their users until early April. Had Apple released the patch sooner, it may have prevented many of the 600,000 computers from becoming infected in the first place.
45/50